6

Since HTTP/2 is starting to get adopted by more and more sites every day, are there any security benefits or known risks regarding HTTP/2?

Bob Ortiz

2 Answers

3

RFC 7540 Section 10 is a security considerations section that documents a number of security considerations when implementing and/or using HTTP/2. Briefly:

  • 10.1. Server Authority
  • 10.2. Cross-Protocol Attacks
  • 10.3. Intermediary Encapsulation Attacks
  • 10.4. Cacheability of Pushed Responses
  • 10.5. Denial-of-Service Considerations
  • 10.5.1. Limits on Header Block Size
  • 10.5.2. CONNECT Issues
  • 10.6. Use of Compression
  • 10.7. Use of Padding
  • 10.8. Privacy Considerations

Most of the regular security considerations for HTTP/1 are also still valid, as HTTP/2 has the same application-level semantics as HTTP/1.

Lie Ryan
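Two of the items in that list, 10.2 (cross-protocol attacks) and 10.5 (denial of service), are easiest to see at the frame level. The following is an added example, not code from this answer or from any HTTP/2 implementation: a minimal Python frame reader that rejects anything not starting with the RFC 7540 section 3.5 connection preface (the preface is deliberately a malformed HTTP/1.x request, which is what makes the cross-protocol case fail fast), checks the 24-bit length field against the default SETTINGS_MAX_FRAME_SIZE of 2^14 octets before it buffers a payload, and caps the compressed bytes of one header block spread over HEADERS and CONTINUATION frames, since section 10.5.1 warns that header blocks have no built-in size limit. The preface, the 9-octet frame layout, the frame type codes and the 2^14 default are taken from the RFC; the header-block cap value, the function names and the sample frames are this example's own choices.

```python
# Added example: minimal HTTP/2 frame reader with the limits from RFC 7540
# sections 10.2 and 10.5. Not from the answer or from any real HTTP/2 stack.

# Section 3.5: the client connection preface. It is deliberately a malformed
# HTTP/1.x request, so an HTTP/1.x server fails fast on it (section 10.2).
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Section 4.2: the initial SETTINGS_MAX_FRAME_SIZE is 2^14 octets.
DEFAULT_MAX_FRAME_SIZE = 2 ** 14
# Local cap on the compressed bytes of one header block (HEADERS plus any
# CONTINUATION frames). Assumption: the value is this example's choice; the
# RFC only warns that header blocks have no hard limit (section 10.5.1).
MAX_HEADER_BLOCK_BYTES = 16 * 1024

FRAME_HEADER_LEN = 9
# Section 6: frame type codes used here.
DATA, HEADERS, SETTINGS, CONTINUATION = 0x0, 0x1, 0x4, 0x9
END_HEADERS = 0x4  # HEADERS/CONTINUATION flag, section 6.2


class FrameError(ValueError):
    """Raised where a real endpoint would send GOAWAY or RST_STREAM."""


def strip_preface(data):
    """Return the bytes after the preface, or reject a non-HTTP/2 client."""
    if not data.startswith(CONNECTION_PREFACE):
        raise FrameError("connection does not start with the HTTP/2 preface")
    return data[len(CONNECTION_PREFACE):]


def build_frame(ftype, flags, stream_id, payload):
    """Serialise one frame (section 4.1): 24-bit length, type, flags,
    reserved bit plus 31-bit stream identifier, then the payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE,
                 max_header_block=MAX_HEADER_BLOCK_BYTES):
    """Return a list of (type, flags, stream_id, payload) tuples.

    The length field is checked against max_frame_size before the payload is
    touched, and the bytes of a header block are bounded across the
    HEADERS/CONTINUATION sequence, so a peer cannot force unbounded buffering
    or HPACK decoding work (sections 10.5 and 10.5.1).
    """
    frames = []
    pos = 0
    open_stream = None  # stream whose header block has not seen END_HEADERS
    block_bytes = 0
    while pos < len(data):
        header = data[pos:pos + FRAME_HEADER_LEN]
        if len(header) < FRAME_HEADER_LEN:
            raise FrameError("truncated frame header")
        length = int.from_bytes(header[0:3], "big")
        ftype, flags = header[3], header[4]
        stream_id = int.from_bytes(header[5:9], "big") & 0x7FFFFFFF
        if length > max_frame_size:
            raise FrameError(f"FRAME_SIZE_ERROR: {length} octets > {max_frame_size}")
        payload = data[pos + FRAME_HEADER_LEN:pos + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            raise FrameError("truncated frame payload")

        # Section 6.10: after HEADERS without END_HEADERS only CONTINUATION
        # frames on the same stream may follow; CONTINUATION is not allowed
        # anywhere else.
        if open_stream is not None:
            if ftype != CONTINUATION or stream_id != open_stream:
                raise FrameError("PROTOCOL_ERROR: CONTINUATION expected")
        elif ftype == CONTINUATION:
            raise FrameError("PROTOCOL_ERROR: CONTINUATION without HEADERS")

        if ftype in (HEADERS, CONTINUATION):
            # The whole payload is counted; padding and priority fields make
            # this a conservative over-estimate of the header block fragment.
            block_bytes += length
            if block_bytes > max_header_block:
                raise FrameError("header block exceeds local size limit")
            if flags & END_HEADERS:
                open_stream, block_bytes = None, 0
            else:
                open_stream = stream_id

        frames.append((ftype, flags, stream_id, payload))
        pos += FRAME_HEADER_LEN + length
    if open_stream is not None:
        raise FrameError("connection ended inside a header block")
    return frames


def sample_client_bytes():
    """Constructed sample: preface, an empty SETTINGS frame, then a HEADERS
    frame whose HPACK payload 0x82 0x84 means ':method: GET', ':path: /'
    (RFC 7541 static table entries 2 and 4)."""
    return (CONNECTION_PREFACE
            + build_frame(SETTINGS, 0, 0, b"")
            + build_frame(HEADERS, END_HEADERS, 1, b"\x82\x84"))


if __name__ == "__main__":
    for ftype, flags, sid, payload in parse_frames(strip_preface(sample_client_bytes())):
        print(f"type=0x{ftype:x} flags=0x{flags:x} stream={sid} len={len(payload)}")
```

The point of checking `length` before slicing the payload is that a hostile peer controls that field; a reader that allocates first and checks later has already done the work the limit was meant to prevent. The same ordering applies to the header block cap: it is enforced on the compressed fragments, before any HPACK state is touched.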

2

From a cryptographic point of view, HTTP/2 requires support for at least TLS 1.2, which means the communication channel will be encrypted using AEAD ciphers, i.e. state-of-the-art crypto.

ATo
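For reference, the TLS requirements RFC 7540 places on HTTP/2 over TLS ("h2") are in section 9.2: TLS 1.2 or higher, TLS compression disabled and no renegotiation (9.2.1), and the cipher suites of Appendix A (those without ephemeral key exchange or an AEAD cipher) may be rejected with INADEQUATE_SECURITY, with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 mandatory to support (9.2.2). The following is an added example, not code from this answer: a Python server-side SSLContext that meets those requirements, a permissive counterpart, and a small audit function that reports what an h2 endpoint would object to. The cipher string, the `permissive_server_context` counter-example and the `audit_h2_tls` helper are this example's own choices, not anything the RFC or the `ssl` module prescribes.

```python
import ssl

# Added example: TLS configuration for an HTTP/2 server per RFC 7540 section
# 9.2, plus an audit helper. Not from the answer or from any project.
#
# Assumption: this cipher string is the example's own choice. It keeps only
# ephemeral key exchange with AEAD bulk ciphers, which excludes every suite in
# RFC 7540 Appendix A and keeps the mandatory TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# (OpenSSL name ECDHE-RSA-AES128-GCM-SHA256).
H2_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def h2_server_context(certfile=None, keyfile=None):
    """SSLContext satisfying RFC 7540 section 9.2 for an "h2" server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # 9.2: TLS 1.2 or higher
    ctx.options |= ssl.OP_NO_COMPRESSION                     # 9.2.1: no TLS compression
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)    # 9.2.1: no renegotiation
    # Applies to TLS 1.2 suites; TLS 1.3 suites are all AEAD and stay enabled.
    ctx.set_ciphers(H2_TLS12_CIPHERS)
    ctx.set_alpn_protocols(["h2", "http/1.1"])               # 3.3: "h2" is chosen via ALPN
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def permissive_server_context():
    """Counter-example (constructed): same defaults, but OpenSSL's full cipher
    list, which still contains CBC suites such as AES128-SHA, i.e. non-AEAD
    suites that appear in RFC 7540 Appendix A."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def audit_h2_tls(ctx):
    """Return the section 9.2 problems an h2 endpoint would find in ctx."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are enabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        problems.append("TLS compression is enabled")
    # get_ciphers() reports every enabled suite with an 'aead' flag.
    non_aead = [c["name"] for c in ctx.get_ciphers() if not c["aead"]]
    if non_aead:
        problems.append("non-AEAD cipher suites enabled: " + ", ".join(non_aead))
    return problems


if __name__ == "__main__":
    print("strict  :", audit_h2_tls(h2_server_context()) or "ok")
    print("loose   :", audit_h2_tls(permissive_server_context()) or "ok")
```

Note that `set_ciphers` only governs TLS 1.2 and earlier suites; the TLS 1.3 suites are AEAD by construction and are left enabled. Whether a peer actually negotiates "h2" is decided by ALPN during the handshake, which is why the context advertises it explicitly.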